Privacy

PRIVACY STATEMENT PURSUANT TO ART. 13 OF THE EU GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR)

ISMETT is a center of excellence operating in the field of transplant and highly specialized therapies. ISMETT has received accreditation from Joint Commission International (JCI), an international body certifying compliance with quality and safety standards acknowledged by the international scientific community. ISMETT provides state-of-the-art medical services also thanks to the experience and know-how of UPMC (University of Pittsburgh Medical Center) and of the other hospitals of the UPMC group, through an ongoing exchange of information and shared technology systems.

ISMETT is a center of excellence operating in the field of transplant and highly specialized therapies. ISMETT has received accreditation from Joint Commission International (JCI), an international body certifying compliance with quality and safety standards acknowledged by the international scientific community. JCI is a non-governmental independent body providing quality certification. JCI is supported by experts in all specialties who assess the entire hospital facility (the clinical and the organizational aspects), according to internationally-accepted criteria, for the purpose of ensuring patient safety.

ISMETT was created by a partnership between the Region of Sicily and UPMC (University of Pittsburgh Medical Center) based in Pittsburgh, Pennsylvania, U.S. This partnership was born from the need to provide state-of-the-art clinical services using the experience and know-how of UPMC and of its network of hospitals (“UPMC Group“), through an ongoing exchange of information. In order to ensure a close collaboration with these top international facilities, ISMETT’s management was entrusted to UPMC Italy (“UPMCI“), the Italian subsidiary of the UPMC Group. In its day-to-day operations, ISMETT also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence of this integrated organization, patients referring to ISMETT authorize the transfer of their data[1]including sensitive data, to the UPMC Group in the United States. According to EU regulations, the laws in force in the United States fail to guarantee adequate levels of personal data protection. Pursuant to the standard contractual clauses approved by the European Commission, the UPMC Group committed to adopt the necessary security measures to protect patient data. A copy of the standard contractual clause is available from the Data Protection Officer (“DPO”) at the following addresses.

[1]The Regulation refers to sensitive data as “special categories of personal data” revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data and biometric data for purpose of uniquely identifying a natural person, data concerning health or data concerning the natural person’s sex life or sexual orientation.

The Center will ask you or third parties (e.g., your family doctor) to provide your personal data (name, address, etc.), information on your health status (diseases, laboratory and diagnostic test results, ongoing therapies) and, if required, on your sex life or social and psychological sphere. During your treatment it may be necessary to obtain images of you for purpose of consults performed, also using telemedicine, by external experts to assess your state of health. To safely verify your identity you will be asked to wear an ID bracelet containing your personal information (name, surname, date of birth, patient code and visit code) by means of RFID (radio frequency identification) technology. This device allows to associate you in a safe and reliable manner to your laboratory tests, test tubes, blood units, and other necessary information.

Your personal data will be collected and processed so that you can receive the necessary clinical services (outpatient procedures, admissions, and in general, patient care, diagnosis, rehabilitation, and prevention) and also to fulfill the related administrative and accounting requirements. For these purposes, your personal data may be shared with third parties (e.g., family doctors and pediatricians, NHS, or other supervisory bodies)

Your personal data will be collected and processed so that you can receive the necessary clinical services (outpatient procedures, admissions, and in general, patient care, diagnosis, rehabilitation, and prevention) and also to fulfill the related administrative and accounting requirements. Data processing complies with the provisions of art. 9.2.h of the Regulation (“processing is necessary for the purposes of medical diagnosis, the provision of health or social care pursuant to contract with a health professional”).

To this extent your data may be shared with the following:

  • family doctors and pediatricians;
  • social security institutions, insurance companies covering the Center’s third-party liability or offering additional patient care services, and legal consultants to the Center and its staff;
  • NHS, institutions, and municipalities for audits on social services or their activation; diplomatic seats involved, or other medical institutions, bodies, and authorities monitoring the provision of clinical services; bodies such as JCI, OHSAS, and ISO for purpose of certification, and other third parties carrying out quality audits on the clinical services provided, to promote quality improvement of services and patient care;
  • public and private hospitals (for tests and exams that cannot be performed at ISMETT), the national and regional transplant centers, diseases registries, public and private research centers, and for any other legal obligation.

With the purpose of improving its clinical services and contributing to general medical knowledge, ISMETT is involved in several research projects (both internal and in collaboration with other EU and non-EU centers). Namely, ISMETT carries out research activity in the following areas: organ transplantation and end-stage organ failure; surgical and diagnostic and interventional radiology and endoscopy techniques; regenerative medicine; clinical immunology and immunotherapy; infectious diseases and molecular medicine; information and communication technology in health care. These research projects are carried out without affecting standard care, and entail no additional tests or treatments. All necessary measures are implemented to guarantee the patient’s privacy (e.g., deletion of personal data and data encryption). No genetic data will be collected for these projects. In order to use the data and samples for research purposes, the patients must provide their consent, notwithstanding their right to withdraw it at any time with no consequence on the care they receive. The Center also intends to participate in research projects regulated by laws, in the above mentioned areas, that do not require the consent from patients. Data and samples used for research purposes are transformed in an anonymous form 10 years after the conclusion of the research projects. A list of the ongoing studies at ISMETT is available at www.ismett.edu.

With the purpose of improving its clinical services and contributing to general medical knowledge, ISMETT is involved in several research projects (both internal and in collaboration with other EU and non-EU centers). Namely, ISMETT carries out research activity in the following areas: organ transplantation and end-stage organ failure; surgical and diagnostic and interventional radiology and endoscopy techniques; regenerative medicine; clinical immunology and immunotherapy; infectious diseases and molecular medicine; information and communication technology in health care.

Many of these studies can be performed using information already collected during: (i) normal patient care activities; (ii) previous clinical studies; (iii) from biological samples collected for patient care and stored at ISMETT in the biological material storage systems of the Pathology Laboratory and of laboratories of the Department of Laboratory Medicine and Advanced Biotechnologies. Participating to these research projects does not affect standard care and entails no additional tests or treatments. During the study no genetic data (information on inherited or acquired characteristics providing information on a person’s physiology or health, and resulting from the analysis of a biological sample) will be collected.

In order to protect the privacy, patient ID data is removed from the information, clinical data, and biological samples used for these studies, and replaced with an alphanumerical code that does not allow to trace the patient’s identity. The list that allows to associate this code with the patient’s personal data is owned exclusively by the principal investigator and filed as confidential documentation.

In particular, encoded data is used during information processing and storage, and when forwarding data to other subjects involved in the study (the list of the centers involved in the studies is available from Office of Research submitting a request to responsabileprivacyufficioricerca@ismett.edu. Access to data directly ascribable to the patient will only take place when extracting information from the original clinical documentation, while checking for correspondence between research data and data in medical records, or when this is required to update the research data. Data and samples are transformed in an anonymous form 10 years after the conclusion of the research projects. Encryption techniques are also adopted for data storage and transfer to prevent unauthorized access. Research outcomes are spread only in aggregated form, i.e. in ways that do not render identifiable the person concerned.

A list of the ongoing studies, divided by areas, is available at the Center and at www.ismett.edu. For further information you may contact the principal investigators or the Data processing reference person at the Office of Research.

In order to use a patient’s biological samples and clinical information for research purposes, the patient must express his/her consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”), as legal basis for data processing. To authorize ISMETT (also in collaboration with centers in non-EU countries where adequate levels of personal data protection may not be guaranteed as per EU regulations, but that will nonetheless guarantee the measures prescribed by art. 46 et seq. of the Regulation) to use your clinical information and your samples collected in the scope of patient care (or during other research projects that you were involved in) please express your consent ticking the appropriate boxes at the end of this document. Please note you are free to either give or deny your consent. You may deny or withdraw your consent to the processing of your data and samples for research purposes at any time, and this will not affect your treatment in any way. In this case the biological sample, if still attributable to you, will be destroyed (except for preservation for care purposes only).

The Center also intends to participate in research projects regulated by laws, in the above mentioned areas. In order to use data in the scope of these studies patient consents are not required as these are provided for by the Regulation (art. 9.2.J “Scientific research under law”). Also in this case, data and samples are transformed in an anonymous form 10 years after the conclusion of the research projects.

The Center monitors and evaluates the effectiveness of the clinical treatments delivered, the appropriateness and quality of care, and the risk factors for health as provided by law (for which no expression of consent is required), and to improve quality of care and reach high safety standards, which on the contrary require a patient consent. You are free to give or refuse your consent without any repercussion on the care you will receive.

ISMETT is committed to monitor and assess the effectiveness of the patient care delivered, its appropriateness and quality as well as clinical risk factors beyond those provided for by law. In particular, the goal of ISMETT is to assess and compare the appropriateness, efficacy, effectiveness and efficiency of care delivered to different population groups or in different facilities, also with reference to specific diseases or health issues. In order to use patients’ personal data for these purposes, it is necessary for patients to give their consent, under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”), as legal basis for data processing. If you wish to authorize ISMETT to process your data, including data collected in the past, to conduct these important tests that could provide useful information for your treatment, please give your consent ticking the appropriate box at the bottom of this document. If you refuse to provide consent, we will not use your data for these tests, but you will still be able to receive care at the Center. ISMETT will be involved in surveillance systems and registries provided for by the law to collect data on diseases and risks for patients. In order to use data in the scope of these studies patient consents are not required as these are provided for by the Regulation (art. 9.2.i “processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, under the law”).

If you sign the consent you will receive information on ISMETT’s projects and services, information campaigns, and fund raising initiatives.

If you sign the consent you will receive information on ISMETT’s projects and services, information campaigns, and fund raising initiatives. For this purpose, the legal basis for data processing is the consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”). Your data will be stored for 24 months. If you do not give consent you will not receive this information material.

If you sign the consent you will receive information concerning your plan of care, reminders of upcoming appointments at ISMETT, and instructions on how to prepare for your scheduled tests. You will receive this information by email or by phone, according to your indications.

If you sign the consent you will receive information concerning your plan of care, reminders of upcoming appointments at ISMETT, and instructions on how to prepare for your scheduled tests. You will receive this information by email or by phone, according to your indications. Also for this purpose, the legal basis for data processing is the consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”). If you do not give consent you will not receive this information. You will need to retrieve them at ISMETT without prejudice to your right to receive care at the Center.

Ove Lei acconsenta, Le invieremo i piani terapeutici, le norme di preparazione agli esami che dovrà effettuare e Le ricorderemo la data delle Sue prossime visite presso l’Istituto, utilizzando i mezzi da Lei indicati.

Anche per tale finalità la base giuridica del trattamento è rappresentata dal consenso (art. 9.2.a) del Regolamento – “consenso esplicito dell’interessato al trattamento”). Ove Lei non dovesse esprimere il proprio consenso, non potremo inviarle i predetti documenti, che dovrà provvedere a ritirare presso l’Istituto, potendo comunque usufruire delle cure prestate dall’Istituto stesso.

If you sign the consent, an electronic file called dossier will be created to allow clinicians to access all documentation on the procedures you received at ISMETT, also in the past. This tool enables clinicians to access more complete information on your health status (clinical history), improving your treatment. The dossier can only be activated with your consent. If you refuse consent, clinicians will only have access to selected information regarding a specific treatment, but you will still receive care at the Center. You may decide for specific information to not be included in your dossier asking the Director of Health Care Activities to “obscure” the information. To file this request please e-mail direzionesanitariaprivacy@ismett.edu.

The Center is equipped with an electronic file called dossier that allows clinicians to access all documentation on the procedures you received at ISMETT, also in the past. This tool enables clinicians to access more complete information on the patient’s health status (clinical history) improving the treatment, and can only be activated with the patient’s consent.

Therefore, only after you express consent to the creation of your dossier (under art. 9.2-a of the Regulation “data subject explicit consent to the processing”, as legal basis for data processing) ISMETT clinicians will be able to access information regarding the procedures you received at ISMETT, also in the past. You may decide for specific information to not be included in your dossier asking the Director of Health Care Activities to “obscure” the information. To file this request, contact direzionesanitariaprivacy@ismett.edu. In the same way, you may refuse your consent to the inclusion of further data in your dossier at any time, while continuing to be treated at ISMETT, as well as revoking your decisions at any given time. You will be asked to sign an express consent to include in your dossier data requiring a higher protection of anonymity (e.g., information on sexual assaults or pedophilia, voluntary termination of pregnancy, HIV infection, and use of drugs/psychotropic substances/alcohol).

If you do not give your consent to the creation of your dossier, physicians and clinicians will only be able to access data relating to that particular treatment. Notwithstanding your right to consent to the creation of your dossier, please note that if these clinicians are not able to access information on specific tests or treatments, it may negatively affect your treatment, entailing a release of liability for the clinicians.

Finally, please note your dossier could be accessed, also without your consent, should this be deemed necessary to protect the physical safety of a third party or of the community.

Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.

Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.

Your personal data will be disclosed to the clinical and administrative staff of ISMETT and UPMCI duly appointed, according to specific instructions and bound by professional secrecy and confidentiality. For training purposes, clinical treatments may be performed in the presence of medical students. All necessary precautions will be taken to limit any potential inconvenience, and your will to not give your consent will be respected.

Your personal data could be shared with third parties providing ancillary services to ISMETT, or in fulfillment of the governing law. You may access the updated list of the informed parties by filing a request to the Data processing reference person at the Office of the Director of Health Care Activities or to the Data Protection Officer, contacting them at the addresses provided below.

Your personal data will be processed by the clinical and administrative staff of the Center and UPMCI, according to specific instructions on the aim and methods of the processing, and bound by professional secrecy and confidentiality. For training purposes, clinical treatments may be performed in the presence of medical students. In this event, all necessary precautions will be taken to limit any potential inconvenience and your will to not give your consent will be respected.

Beside the parties listed in item 1, your personal data may also be shared with third parties, who, as independent data controllers or appointed data processors, provide ancillary services to activities of ISMETT, such as:

  • external consultants,
  • volunteer associations for patient care activities,
  • catering companies for hospitalized patients,
  • maintenance firms, and
  • other subjects providing services instrumental to the Center’s operations.

Your personal data could be shared with Independent Data Controllers, in fulfillment of the governing law or to enforce ones’ rights through legal action (e.g., NHS, institutions, municipalities, social security institutions, national and regional transplant centers, diseases registries, or insurance companies).

The updated list of hospitals part of the UPMC Group and of Data Controllers and Independent Data Controllers having access to data is available from the Data processing reference person at the Office of the Director of Health Care Activities or from the Data Protection Officer, at the addresses below.

Information regarding your health status and presence at ISMETT will only be provided to your relatives and friends, without prejudice to the provisions of law.

Your personal data will be stored for the mandatory minimum retention period established by the Region of Lombardy in the “Massimario di scarto” enforced for the health care system. For more information, please contact the Data processing reference person at the Office of the Director of Health Care Activities or the DPO at the addresses below.

In addition please note your personal data will be stored for the mandatory minimum retention period established by the Region of Lombardy in the “Massimario di scarto” enforced for the health health system (Version #4, “Titolario e Massimario del Sistema Sociosanitario Lombardo, già Sistema Sanitario e Sociosanitario di Regione Lombardia” approved by Legislative decree on welfare 11466 of 17 December 2015 and subsequent additions and amendments) and by the document issued by the General Archival Office regulating the archives of local health units and hospitals (so-called Schola Salernitana), available athttp://www.archivi.beniculturali.it, as emended by other sources of regulations. For more information, please contact the Data processing reference person at the Office of the Director of Health Care Activities or the DPO at the addresses below.

In the cases provided for by the law, you have the right to access to your personal data, allowing to change, integrate, delete or withdraw authorization to process it (articles 15 et seq. of the Regulation). You also have the right to lodge a complaint with the Authority for the protection of personal data, if you deem that your rights have been infringed. For further information on your rights please see the fact sheet available at the following link.

 

Under art 15 et seq. of the Regulation, you have the right to obtain:

  • Confirmation that your personal data is stored in ISMETT’s archives, and to obtain a hardcopy or electronic copy, and information on data processing (purpose, data type, recipients, storage time, etc.).
  • Correction or integration of data.
  • Deletion of data if you withdraw your consent or if there is no juridical basis for the processing.
  • If conditions apply, obtain personal data in a structured form.

If conditions apply, all data subjects also have the right to lodge a complaint with the Authority for the protection of personal data, being it the supervisory authority, according to the mandatory procedures. A template for the exercise of rights drafted by the Authority for the protection of personal data is available at this link.

 

Furthermore:

  • Once your dossier is created you may:
    • withdraw your consent to its implementation;
    • request to block some clinical events;
    • visualize the accesses that have taken place.

 

  • If you have provided consent to using your data for research purposes, to verify the quality and appropriateness of patient care and treatments, and to schedule clinical activity will be able to:
    • withdraw your consent to the processing of your data and samples for research purposes at any time, and this will not affect your treatment in any way;
    • request the rectification or integration of your data: in this case the requests will be registered without changing the data, if this has no significant impact on the study outcome;
    • request that your data used for research purposes be transformed into anonymous form;
    • obtain information on the projects in which your data have been used, and the list of the centers involved in these projects.

 

You may exercise your rights mailing the Data processing reference person at the Office of the Director of Health Care Activities at the co-data controllers’ address or at direzionesanitariaprivacy@ismett.edu or contacting the ISMETT DPO at: ISMETT- Responsabile della Protezione dei dati personali, Via Discesa dei Giudici n. 4, 90133 Palermo (Italy), or dataprotectionofficer@ismett.edu.

With reference to the data processed for the purposes of studies or researches, the above rights may be exercised contacting the Data processing reference person at the Office of Research at the co-data controllers’ address or at responsabileprivacyufficioricerca@ismett.edu.

Rights may be exercised filing a request to the Data processing reference person at the Office of the Director of Health Care Activities at the co-data controllers’ address or at direzionesanitariaprivacy@ismett.edu contacting the ISMETT DPO at: ISMETT- Responsabile della Protezione dei dati personali, Via Discesa dei Giudici 4, 90133 Palermo (Italy), or dataprotectionofficer@ismett.edu.

With reference to data processed for purpose of studies and research, the above rights may be exercised contacting the Data processing reference person at the Office of Research at the co-data controllers’ address or at responsabileprivacyufficioricerca@ismett.edu.

 

Co-data controllers are Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione S.r.l. and UPMC Italy S.r.l., both headquartered in Discesa dei Giudici 4, 90133 Palermo, Italy.

 

Co-data controllers are Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione S.r.l. and UPMC Italy S.r.l., both headquartered in Discesa dei Giudici 4, 90133 Palermo, Italy.

 

Last update: December 2018